[systemd-devel] DynamicUser and root:root/0640 configuration in /etc

[Lennart Poettering]

On Fr, 31.01.20 13:35, Igor Gnatenko (i.gnatenko.brain at gmail.com) wrote:

> Hello,
>
> I am writing systemd service for one software and I found out very
> nice thing that you don't have to create users just for the service
> and it can be done via DynamicUser in runtime.
>
> However, the software has configuration file in /etc/foo where
> sensitive credentials are stored so the /etc/foo is owned by root:root
> and /etc/foo/config is owned same way and has 640 permissions.

Hmm, but if the service is supposed to run unprivileged, how is it
supposed to be able to access that?

> If I use DynamicUser, it can't read /etc/foo/config due to
> permissions. I have tried to set ConfigurationDirectory=foo, but that
> does not change permissions on those files... After all I found
> SupplementaryGroups=root fixes the problem, but I think this destroys
> whole purpose of DynamicUser.
>
> Am I doing something wrong? Any suggestions how to deal with this?

Hmm, well, you need to somehow make sure your service's UID can access
these files, if you use such restrictive access rights under some
other user's UID, this cannot work of course...

You could have an ExecStartPre= line that copies the stuff from
$CONFIGURATION_DIRECTORY to $STATE_DIRECTORY, that uses the "!"
marker, so that it runs with full privs, and chowns the copy. That way
every time the service is started you make a copy that is properly
owned.

In the long run we should probably have some sane per-service
credential system, maybe via the kernel keyring, or passed memfds or
so, but so far this hasn't materialized...

Lennart

--
Lennart Poettering, Berlin